Greatsearch.biz is killing me

I could not find any reg33.exe files, but I did delete krnldbge.dll from SYSTEM32/Config and SHIMGVWR.DLL from SYSTEM32. Also I've deleted the Services.exe file and one other .exe file, both from SYSTEM32\CONFIG. These were all bad files connected to greatsearch.biz, but also part of a virus called TROJ_BANKER.J. A friend pointed this out to me. When I went into Safe Mode and deleted this stuff, he walked me through some regedit deletions, too, including deleting the key CURENT USER (not CURRENT USER), which is part of it, too.

So then in Safe Mode I ran HT and deleted all the greatsearch.biz links, and ran HT again and it came up clean. But when I rebooted, you can see it came back, even though all the deleted files are still gone. This thing is relentless. My ad-watch fires ten times in a row every five minutes. Has anyone actually gotten rid of this?

I was infected with the Win32.Mersting.B (CoolWebSearch hijacker) trojan and I seem to have got rid of it. Your problem isn't the same as mine, so I wouldn't know, but here are some steps that might help:

If you haven't already identified the malicious DLL file that keeps generating these search pages, do so now:

1) Go to C:\WINDOWS\system32\

2) Go to View > Choose Details > and check the box that says "Created". This will allow you to arrange your icons by the date CREATED. The DLL file that infected my computer was created on May 13, 2004.

3) Now right-click and choose Arrange Icons > Created.

4) Depending on whether your files are listed in reverse chronological order or not, the most recently created DLL files should either be at the top or bottom. If you remember when your problem started, then look for a file that was created on that day. Another hint is that when you hover over the malicious file, it usually has no company name or additional info and looks generally suspicious.

5) Once you've located this file, you'll need a program called KillBox to kill it, because it can't be deleted the regular way. If you have KillBox, type in the address of your malicious file (C:\WINDOWS\system32\nameofyourfile.dll) into the address bar, and then go to Action > Delete On Reboot.

6) A window will pop up. Go to File > Add File and your file should be added into the blank space. Then go to Action > Process and Reboot. A message will prompt you to reboot your PC. Reboot your PC as told and once that's over, your malicious file should be deleted.

7) BUT that's only the visible file. And the trick is that there is one remaining malicious file which is HIDDEN. It'll be somewhere in your System32 folder but you won't be able to see it, let alone know its name. To get round this, you'll need a program called Registrar Lite (see links below).

8) Download RegLite, then type this into the address bar at the top: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
Once you've done that, a list of registry keys will come up. Double-click on AppInit_DLLs and in the "value" field, you should see the name of your hidden malicious file like this - C:\WINDOWS\system32\nameofyourfile.dll

9) The next step is kinda tricky because I don't think what worked for me will necessarily work for you, but anyway, give it a try. Note down the name of your malicious file, and look for it in C:\WINDOWS\system32. IF your hidden file is now visible, do what I did....

10) Right-click on your file and rename it from "nameofyourfile.dll" to "nameofyourfile.doc" (i.e. keep the filename so you can find it but change the DLL). You won't be able to change the attributes because your file is in read-only mode.

11) Once you've done that, go to your C drive, right-click and go to New > Folder. Give your folder a name, and I suggest you use the filename of your malicious file. So if your malicious file is called "ijmbwp.dll", call your folder "ijmbwp".

12) Go back to C:\WINDOWS\System32. Locate your file again, right-click then COPY and PASTE it into the new folder you've just created in step 11. Then press the "back" button, highlight that folder and move the whole thing into the recycle bin. Now empty your recycle bin. Your second malicious file should now be removed. But just to double-check, go to Start > Search and type in the name of your file. If you find any files left with that name, delete them all.

13) Finally, run Spybot, Ad-Aware and HijackThis just to make sure you've deleted all the components associated with your trojan.

14) Your homepage should now be back to your own default, and the trojan should be gone. Some additional DLL files may have been created along with the two files you previously deleted, but these can easily be removed from your System32 folder. I'd recommend scanning your PC with a free virus scan from TrendMicro.

If none of that works, then maybe my solution doesn't apply to you, but there are some helpful tips here anyway and I hardly think this problem is uniquely yours. In the meantime, get yourself some antivirus software (if you haven't already got some) and run Ad-Aware, Spybot, etc. at LEAST once a week.

BTW, keep in mind that anti-spyware programs and CWShredder will NOT remove the trojan from your computer. You really need to seek out those malicious DLL files and destroy them or else the problem will persist, one way or another.
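The creation-date triage from steps 1 to 4 and the AppInit_DLLs check from step 8 can be done with built-in tools instead of Explorer and Registrar Lite. This is an added example, not part of the thread or any tool it names; it assumes a Windows system with PowerShell 3 or later and a rough date for when the problem started.

```powershell
# Added triage script: list DLLs in System32 created since a given date,
# then read the AppInit_DLLs value that step 8 inspects with RegLite.
param(
    # Assumption: you know roughly when the hijacking started (step 4 above).
    [datetime]$Since = (Get-Date).AddDays(-7),
    [string]$Sys32   = (Join-Path $env:SystemRoot 'System32')
)

# Steps 1-4: sort DLLs by creation time, newest first. -Force includes files
# with the Hidden attribute; a file hidden from the file-system API by a
# rootkit will still not appear here.
Get-ChildItem -Path $Sys32 -Filter '*.dll' -Force -File |
    Where-Object { $_.CreationTime -ge $Since } |
    Sort-Object CreationTime -Descending |
    ForEach-Object {
        # The "no company name" hint from the post, plus the Authenticode status.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Created   = $_.CreationTime
            Name      = $_.Name
            Company   = $_.VersionInfo.CompanyName
            Signature = $sig.Status
            Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
        }
    } | Format-Table -AutoSize

# Step 8: read AppInit_DLLs directly. Anything listed here is loaded into every
# process that loads user32.dll, which is why the hijack survives file deletion.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$props = Get-ItemProperty -Path $key
"AppInit_DLLs     : '$($props.AppInit_DLLs)'"
"LoadAppInit_DLLs : $($props.LoadAppInit_DLLs)"   # 1 = loading enabled (Vista and later)
if ($props.AppInit_DLLs) {
    # Entries are separated by spaces or commas; resolve bare names against System32.
    $props.AppInit_DLLs -split '[ ,]' | Where-Object { $_ } | ForEach-Object {
        $p = if (Test-Path $_) { $_ } else { Join-Path $Sys32 $_ }
        "  -> $p  exists=$(Test-Path $p)"
    }
}
# On 64-bit Windows, repeat the registry read under
# HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows for 32-bit processes.
```

An empty AppInit_DLLs value with no recently created unsigned DLLs is a good sign; a populated value pointing at a file that Explorer cannot see is exactly the case step 7 describes.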

What happens if you deleted the files the regular way, or in Safe Mode, but not the hidden file? I can't find any of the files I deleted, so they aren't coming back, but the hidden file must still be there. If I find and destroy that, will it still work?

No one ever mentioned Killbox before, so I hope deleting them the regular way didn't make them hide further or something.

All right. I was wishing there was some way to check to see any files created at a specific time. I know exactly when I got infected, and I found two files in the SYSTEM32 folder that were created within a minute of each other -- one is system32.dll and the other is I believe an .exe file, the blue DOS box, and it's named appsys. Should I use Killbox on both of those?

Okay, well, I followed all your instructions, and got rid of those last two malicious files, then I did the reglite thing but the only thing that came up when I double-clicked in the value-name part was AppInit_DLLs, so I don't know what to do next.

But, getting rid of those last malicious files seemed to do the trick for now, at least. No more hijacks so far. Thanks.